Forum Discussion
How to configure 2 forest in Bigip APM
Okay, let's do this. Since this is an offline test it shouldn't hurt anything to add some static values for troubleshooting. We'll assume that client side NTLM is working, so we'll focus in on server side Kerberos SSO. Kerberos requires as input two populated session variables: by default, session.sso.token.last.username and session.logon.last.domain. The first holds a domain user name (ex. bob), and the second holds the domain name (ex. DOMAIN1.COM). For the sake of testing, add a variable assignment agent at the end of the visual policy and hard-code these two values to known good values. For example:
session.sso.token.last.username = expr { "test.w" }
session.logon.last.domain = expr { "DOMAIN2.COM" }
Give that a try. Try it with known good DOMAIN1 and DOMAIN2 values. It won't matter what credentials you're using in the Outlook client or what account you're logged in as, as the user values are hard-coded in the access policy. The point of this is to isolate the Kerberos SSO. If the APM log indicates that you get all the way to the SSL but fail, especially if DOMAIN1 values work but DOMAIN2 values don't, then you know for certain that there's something wrong with the SSO. That's where I'd start troubleshooting.